TCP shouldn't be an issue - since most firewalls will do some sort of state management for those connects.
My money's on the fact there ISN'T an inbound firewall rule allowing UDP/53 to his DNS servers and, tangential to that, the fact that there is no static NAT enabled for the DNS servers internally. In other words, create a static NAT rule for the DNS servers with root hints enabled, and enable UDP/53 inbound to those hosts. DNS starts working again - this time consistently. The reason for inconsistency is most likely caused by the fact some resolutions will fall over to TCP, due to response size and some less regular occurrences.

--------
Roger Seielstad
E-mail Geek & MS-MVP

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Tuesday, November 16, 2004 7:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> TCP or UDP through the firewall?
>
> What have you done to troubleshoot? Logs? ??
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Tuesday, November 16, 2004 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> Yes, all DNS is working fine except for some rare instances of hostnames we've run into. Last week we couldn't get to ftp.nai.com but now we can.
> All our workstations are pointed to our child DCs for DNS. They are set to forward to our empty root DCs, and the empty root DCs have the root-hints, and the firewall allows them out port 53.
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
> Sent: Tuesday, November 16, 2004 7:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
>
> I'd advise using forwarding for the functions you require.
>
> It may seem stupid... but I take it the DNS server/s have appropriate rules in your firewall/s?
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: 16 November 2004 13:48
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS Issues
>
> Since changing our DNS design from forwarding to our old firewall which had root-hints built into it, to forwarding our DNS to our empty forest root domain controllers with the root-hints on them, we are not getting all our DNS lookups.
>
> For example, http://www.volksbanksalzburg.at right now is not resolving for us. Yet if we RDP into one of our home PCs, it resolves fine. So my question is, is there anything weird about Windows 2000 root-hints or DNS servers that would cause us to not be able to look up some hostnames properly in DNS? Or what would cause this issue?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
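An added diagnostic for the situation Roger describes, not code from the thread: it sends a raw DNS query over UDP to a resolver, reads the TC (truncated) bit, and retries over TCP/53 with the RFC 1035 length prefix when the reply is truncated or never comes back, so you can tell "UDP/53 replies are not getting back through the firewall/NAT" apart from "TCP/53 is blocked". The server address and query name in the usage note are placeholders.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query with RD=1; qtype 1 = A, 2 = NS, 15 = MX."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (txid, truncated, rcode, answer_count) from a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, bool(flags & 0x0200), flags & 0x000F, an

def tcp_query(server, query, timeout):
    """Send query over TCP/53 with the two-byte length prefix; None on any failure."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", t.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = t.recv(length - len(data))
                if not chunk:
                    return None
                data += chunk
            return data
    except (OSError, struct.error):  # OSError covers socket.timeout
        return None

def probe(server, name, timeout=3.0):
    """UDP first, as a resolver would; fall back to TCP on TC=1 or on no UDP reply."""
    q = build_query(name)
    result = {"udp": "timeout", "tc": False, "tcp": "not tried"}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
            _, tc, rcode, an = parse_header(data)
            result["udp"], result["tc"] = {"rcode": rcode, "answers": an}, tc
        except socket.timeout:
            pass  # reply never made it back: suspect the inbound UDP/53 rule or NAT
    if result["tc"] or result["udp"] == "timeout":
        data = tcp_query(server, q, timeout)
        if data is None:
            result["tcp"] = "failed"
        else:
            _, _, rcode, an = parse_header(data)
            result["tcp"] = {"rcode": rcode, "answers": an}
    return result
```

Run `probe("192.0.2.53", "www.example.com")` (placeholder server) from a host on the far side of the firewall; a `udp` of `timeout` with a working `tcp` result points at the UDP rule or NAT, while `tc` set and `tcp` of `failed` points at TCP/53 being dropped.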
